Computer and Data Security
Mario Čagalj
University of Split
2013/2014.

User Authentication
Computer Security: Principles and Practice by William Stallings and Lawrie Brown
Produced by Mario Čagalj

User Authentication: Introduction
- Protective measures (e.g., access control, accountability) make sense only if we can identify and authenticate users
- Authentication validates user identity
  - Often as a prerequisite to allowing access to the system resources
- The authentication process consists of two steps
  - Identification step
    - Presenting an identifier to the system (e.g., userID, username)
  - Verification (authentication) step
    - Presenting or generating authentication information that binds the entity presenting the identifier and the identifier itself
- Distinct from message authentication

Means of Authentication
- There are four general means of authenticating a user's identity
  - Something the user knows
    - Password, personal identification number (PIN)
  - Something the user possesses
    - Smart cards, physical keys, tokens
  - Something the user is (static biometrics)
    - Recognition by fingerprint, face, retina, iris
  - Something the user does (dynamic biometrics)
    - Recognition by voice pattern, handwriting style, typing rhythm
- Can be used in combination
- All have advantages and issues

Password-Based Authentication

Password Authentication
- Widely used user authentication method
  - User provides name/login (username) and password
  - System compares password with that saved for specified login
- Authenticates ID of user logging in and provides security by
  - Determining that the user ID is authorized to access the system
  - Determining the user's privileges (e.g., admin or not)
  - Being used in discretionary access control (e.g., a user owning a file may enable another entity to access this file – next lecture)

Password Vulnerabilities
- Offline dictionary attack
  - Attacker obtains system password file (with password hashes) and compares password hashes against hashes of passwords from the dictionary
- Specific account attack
  - Submit
    candidate passwords until the correct password is discovered or until the account is locked (e.g., after 3 failed attempts)
- Popular password attack
  - Try popular passwords against a range of user IDs
- Password guessing against single user
  - Make educated guesses based on knowledge about the user (age, gender, marital status, ...)

Password Vulnerabilities
- Workstation hijacking
  - Steal unlocked workstation and use e.g. Cain&Abel to recover the password
- Exploiting user mistakes
  - Passwords written down, shared, social engineering
- Exploiting multiple password use
  - Password reuse problem (due to cognitive overload)
- Electronic monitoring
  - Intercept passwords communicated across a network (simple and naive encryption does not help here)

Password Vulnerabilities: Examples
- Watch this video: http://vimeo.com/2007855 (Compromising EM Emanations of Keyboards), Oakland - [Backes2008]

Storing Passwords
- Passwords are never stored in clear text
  - The risk of theft would be great
- Instead, a hash of a password is stored
  - Recall, hashing is a one-way function which gives a unique and irreversible result (hash value, message digest)
  - If a user provides a correct password, its hash must be identical to the hash stored (previously) in the password file
- [Figure: the cleartext password goes through a one-way function (e.g., hash or encryption); the password file holds User ID and "hashed" password]
- Password-based authentication in Unix and Windows

Passwords in Unix

Unix Password Scheme
- To load (create) a new password into the system
  - The user selects or is assigned a password
  - This password is combined with a fixed-length salt value
- [Figure: Loading a new password. Salt and password are fed to the slow hash function; the result is loaded into the password file, whose entries hold User ID, Salt and Hash value (e.g., Bob, 7a, ri79KNd7v6.Sk)]
- [Figure: Verifying a password. The User ID selects salt and hash value from the password file; salt and password are fed to the slow hash function and the result is compared with the stored hash value]

Unix Password Scheme: Salt Values
- Offline dictionary attack
  - Assume: the goal is to guess a single pwd & salt not used
  - Attacker obtains a copy of the
    password file
  - Attacker hashes likely candidate passwords and compares the obtained hash values with the ones in the password file
  - If any of the guesses matches one of the hashes in the file, the attacker has found a password that is in the file
- The salt value serves three purposes
  - Prevents duplicate passwords from being visible in the password file
  - Increases difficulty of offline dictionary attacks (k bits of salt increase the guessing load by a factor of ~2^k)
  - Not possible to find out whether a user with passwords on two or more systems has used the same password on all of them

Unix Hashed Pwd Implementation
- The original scheme (crypt(3) routine)
  - 8 character password forms a 56-bit secret key
  - 12-bit salt perturbs the DES encryption algorithm in one of 4096 different ways
  - 0 value repeatedly encrypted 25 times (slows down guesses)
  - Output translated to an 11 character sequence
- [Figure: crypt(3). The password "test", 56 bits (up to 8 characters, only 7 bits of each char is taken), and the salt "am", 12 bits (2 characters), drive DES over 64 zero bits; the 64-bit hash is output as 11 chars, hiOY1vb4nIE]

  pwd    salt   crypt(3) hash
  test   am     hiOY1vb4nIE
  test   ri     j.uEL2QOTHU
  test   7a     FB/N4.DacNU

Unix Password Hashes
- crypt(3)-based implementation is inadequate today
  - 8 chars (i.e., 56 bits) are simply too few
  - Dictionary attack investigated using the Blue Horizon supercomputer
    - Precomputed and stored 207 billion hashes (~1.5 TB) for over 50 million passwords in about 80 min (207 x 10^9 / 50 x 10^6 approx.
      4096 – #salt values)
- Time-memory tradeoffs
  - Effective when salt is not used (Oechslin'03 showed that using 1.4 GB of rainbow-table data, Windows LM hashes are broken in <14 sec)
- Better hashes for Unix
  - Modern Unix systems are based on MD5 hashes instead of DES hashes
  - Advantages:
    - Passwords can have more than 8 characters
    - Produces 128 bit hash values
    - Longer salt values (48 bits)
    - "Very" slow (1000 inner loops)

Password File Access Control
- Old method: names and hashes are stored in /etc/passwd
  - Free for anybody to read
  - Opens up for easy offline dictionary attack
- Safer method: the hashes are stored in a separate file, /etc/shadow
  - Only root can access this file

  /etc/passwd:
    root:x:0:0:root:/root:/bin/bash
    mcagalj:x:1001:1001:,,,:/home/mcagalj:/bin/bash

  /etc/shadow:
    root:aQtsvOTXjNRbY:10919
    mcagalj:HYy0b0xFEWIZw:10919:

- Theft of Unix Hashes
  - Goal: gain access to /etc/shadow
    - Boot the machine on a CD
    - Obtain root privileges (e.g., by using an exploit)

Logon and Authentication in Windows

Logon Authentication Scenarios
- There are four types of logon processes in Windows 2000, Windows Server 2003/08 and Windows XP Professional
  - Interactive logon
    - Logs on to a local computer to which you have direct physical access (includes terminal services and remote desktop logon processes)
  - Network logon
    - Controls access to a system running different Windows operating systems across the network from the computer where you logged on
  - Service
    - Authenticates and authorizes different Windows services
  - Batch
    - Reserved for batch jobs (e.g., big print spools, bank account reconciliation); rarely used

Interactive Logon: Windows Server 2003
- Interactive logon begins with the secure attention sequence CTRL+ALT+DEL
  - GINA DLL generates the logon dialog box
- User logs on using either a local or a domain account
  - User enters user name and password (alternatively, a smart card, which requires an external device, and PIN)
- Local logon
  - Authorizes access to local computer and resources
  - Security Account Manager (SAM) DB holds account info (e.g., pwd hashes)
- Domain logon
  - Gives access to domain resources; account info in Active Directory domain
  - Single Sign On (SSO) – one time logon
  - Cached Credentials – once successfully authenticated, allows access to resources even when the domain controller is not available

Interactive Local and Domain Logon
- [Figure: local logon and domain logon; LSA: Local Security Authority]

Local Security Authority (LSA)
- LSA is a Windows security subsystem that authenticates and logs users on to the local computer
- Manages local security policy
  - E.g., which domains are trusted, who can have access to the system, who is assigned what rights, what security auditing is performed
- Provides interactive user authentication services
- Generates access tokens
- Manages the audit policy

LSA Architecture
- DLLs responsible for individual authentication mechanisms
  - NTLM (Msv1_0.dll)
  - Digest (Wdigest.dll)
  - Kerberos (Kerberos.dll)
  - TLS/SSL (Schannel.dll)

Primary Authentication Protocols in WinNT4.0, WinXP Pro, Win2K, WinSrv03
- Microsoft Windows supports various methods to authenticate a user (or a computer)
- Kerberos protocol is the core
  - Since the introduction of Windows 2000
  - Enables mutual authentication between client (user, computer, service) and server
  - Secure and scalable
  - LSA acts as a proxy between a client and the Kerberos Key Distribution Service (KDS) that issues service granting tickets to the client
- NTLM protocol (3 methods of challenge/response authentication)
  - Default in Windows NT 4.0, also included in WinSrv03 for compatibility with versions earlier than Windows 2000
    - LAN Manager (LM)
    - NTLM version 1
    - NTLM version 2
- In this lecture we focus on the (in)security of the NTLM protocol

NTLM vs Kerberos Login Process
- [Figure panels: NTLM, Kerberos]

NTLM: LM Hash (e.g., in WinXP)
- LM authentication is based on weak cryptographic procedures
  - User ASCII password converted to uppercase
  - Password null-padded or truncated to 14 bytes
  - The "fixed-length" password is split into two 7-byte halves
  - These two values are used to create two DES keys
    - One from each 7-byte half, by
      converting the seven bytes into a bit stream, and inserting a null bit after every seven bits (so 1010100 becomes 01010100); this generates the 64 bits needed for the DES key
  - Each of these keys is used to DES-encrypt the constant ASCII string KGS!@#$%, resulting in two 8-byte ciphertext values
  - These two ciphertext values are concatenated to form a 16-byte value, which is the LM hash
- The resulting LM hash is stored in the SAM (Security Accounts Manager) database (locally or at the domain controller)

NTLM: LM Hash Insecurity
- Password characters are restricted to the ANSI printable character set (95 characters)
- Passwords longer than 7 characters are divided into two pieces and each piece is hashed separately (truncated to 14 bytes)
- Brute-force complexity
  - There are 95^14 ~ 2^92 passwords with 14 printable characters
  - But, 95^7 ~ 2^46 passwords with 7 printable characters (one half)
  - Only uppercase characters used: 69^7 ~ 2^43 (breakable in a few hours!)
- LM hash does not include salt, therefore a time-memory trade-off cryptanalysis attack, such as rainbow tables, is also feasible
  - TMTO-based attacks break LM hashes in a matter of seconds!
  - 0phcrack, Cain&Abel

NTLM: NTLM version 1
- NTLMv1 developed to replace the weaker LAN Manager
  - Take a password (respects upper and lowercase)
  - Calculate the MD4 of it – 128 random bits (16 bytes)
    - 2^92 passwords with 14 printable characters
  - Store this value – NTLM Hash

NTLM: Network Login with NTLMv1
- Used to authenticate Web site users, file share access, printer access, RPC calls, etc.
- Challenge-response authentication
  - Domain controller (server) sends a random challenge to the workstation of the user
  - The workstation encrypts the challenge with the NTLM hash of the password and sends it to the controller (server)
  - The controller does the same operation using the NTLM hash stored locally and compares the results

NTLMv1 Challenge/Response Details
- How NTLM Hash & Challenge give the NTLMv1 Response
  - MD4 of password = 0x0123456789ABCDEFFEDCBA9876543210
  - Broken into three "Key Chunks"
    - Key 1: 0123456789ABCD
    - Key 2: EFFEDCBA987654
    - Key 3: 32100000000000
  - NTLMv1 Response = DES(Key1, Challenge) + DES(Key2, Challenge) + DES(Key3, Challenge)

NTLMv1: Some Security Issues
- Response generation requires only the NTLM Hash (the password authenticator)
  - NTLM Hash is password equivalent (not the case in Unix - salt)
  - NTLM Hash exposure is therefore catastrophic: login without pwd!
- Weak DES cipher is used
  - Effort to try all DES keys: 2 x 2^56 + 2^16 ~ 2^57 for all three portions of the NTLM Response
  - A 10 character alphabetic mixed case password has about 2^57 possibilities
  - Therefore for longer passwords, it is easier to brute-force DES
- Active man-in-the-middle
  - Attacker provides a known challenge and launches pre-computed dictionary attacks

NTLMv1: Other Shortcomings in Windows NT/2k
- By default NT workstations send two responses to the challenges
  - One using NTLM Hash
  - One using LM Hash (for backward compatibility)!
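
An added example, not part of the original slides: the key-chunk split from the NTLMv1 slide carried through in Python, showing why one response never costs more than about 2^57 DES trials however long the password is. The function names are assumptions of this sketch, and the 7-to-8-byte expansion puts the unused bit in the low position of each byte (the usual DES parity slot).

```python
import math

# MD4 value used on the slide as the example NTLM hash.
NTLM_HASH = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")


def key_chunks(ntlm_hash: bytes) -> list:
    """Zero-pad the 16-byte hash to 21 bytes and cut it into three 7-byte chunks."""
    if len(ntlm_hash) != 16:
        raise ValueError("NTLM hash must be 16 bytes")
    padded = ntlm_hash + b"\x00" * 5
    return [padded[i:i + 7] for i in range(0, 21, 7)]


def expand_des_key(chunk: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes, 7 per byte; the low (parity) bit stays 0."""
    if len(chunk) != 7:
        raise ValueError("chunk must be 7 bytes")
    bits = int.from_bytes(chunk, "big")
    return bytes(((bits >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))


def unknown_key_bits() -> list:
    """Secret bits in each DES key: chunk 3 holds 2 hash bytes, the rest is padding."""
    return [min(7, 16 - 7 * i) * 8 for i in range(3)]


def des_effort_bits() -> float:
    """log2 of the keys to try when each of the three DES blocks is searched alone."""
    return math.log2(sum(2 ** b for b in unknown_key_bits()))


def password_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of passwords of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def smaller_search_space(alphabet_size: int, length: int) -> str:
    """Which is cheaper to exhaust: the password space or the DES keys of one response."""
    if password_bits(alphabet_size, length) < des_effort_bits():
        return "password"
    return "DES keys"


if __name__ == "__main__":
    for chunk in key_chunks(NTLM_HASH):
        print(chunk.hex().upper(), "->", expand_des_key(chunk).hex().upper())
    print("secret bits per key:", unknown_key_bits())
    print("DES effort: 2^%.2f" % des_effort_bits())
    for length in (8, 10, 14):
        print(length, "mixed-case letters:", smaller_search_space(52, length))
```

Past roughly ten mixed-case letters a stronger password no longer raises the cost of breaking a captured NTLMv1 response, so password policy alone does not compensate for the protocol.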
Show Wireshark traces here

NTLM: NTLM version 2
- NTLMv2 significantly improves authentication of NTLM
- NTLMv2 Challenge/Response Details
  - Both client and server generate random challenges
    - CS = 8-byte server challenge, random
    - CC = 8-byte client challenge, random
    - CC* = (X, time, CC, domain name)
    - Prevents pre-computed dictionary attacks
  - Calculate NTLMv2 Response
    - v2-Hash = HMAC-MD5(NTLM Hash, user name, domain), where NTLM Hash is the MD4 hash of a password
    - NTv2 = HMAC-MD5(v2-Hash, CS, CC*)
    - NTLMv2 Response = CC | NTv2 | CC*

LM, NTLMv1 and NTLMv2 Comparison

                             LM                  NTLMv1              NTLMv2
  Password case sensitive    No                  Yes                 Yes
  Hash key length            56 + 56 bit         -                   -
  Password hash algorithm    DES (ECB mode)      MD4                 MD4
  Hash value length          64 + 64 bit         128 bit             128 bit
  Chall.-Resp. key length    56 + 56 + 16 bit    56 + 56 + 16 bit    128 bit
  Chall.-Resp. algorithm     DES (ECB mode)      DES (ECB mode)      HMAC_MD5
  Chall.-Resp. value length  64 + 64 + 64 bit    64 + 64 + 64 bit    128 bit

From Windows 2000 on - Network Login
- In a native W2k environment, the Kerberos protocol is used to carry out network logins
- Kerberos authenticates both the user and the server (no more man-in-the-middle attacks)
  - The user is authenticated by the NTLM hash of the password
  - The server is authenticated by a password known by all workstations in the given domain
- The user is issued lifetime limited access tickets
  - One Ticket-Granting-Ticket (TGT)
  - Many service tickets using TGT
  - No need of re-authentication to access a service as long as TGT is valid (single sign-on)
- Kerberos protocol is very secure

Storing of Hashes in NT and 2k
- The NTLM and LM hashes of all users are stored in the SAM file or in the Active Directory (ntds.dit)
- Since W2k SP2 it is possible to deactivate LM hash generation
  - WinXP Profess. (Win7 on slide 27)
- The file containing the hashes is locked by the kernel at startup
  - Can be stored at several locations!
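
An added example, not part of the original slides: the NTLMv2 formulas from the "NTLM version 2" slide with both sides of the exchange in Python, showing that a response is bound to the server challenge CS and changes with the client challenge CC. The byte layout of CC*, the value of X, the UTF-16 encoding and the names bob and LAB are assumptions of this sketch (the slide gives no wire format); the NTLM hash is the example value from the NTLMv1 slide.

```python
import hmac
import os
import struct
import time

# Example NTLM hash (MD4 of the password) taken from the NTLMv1 slide.
NTLM_HASH = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")


def hmac_md5(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), "md5").digest()


def v2_hash(ntlm_hash: bytes, user: str, domain: str) -> bytes:
    """v2-Hash = HMAC-MD5(NTLM Hash, user name, domain)."""
    return hmac_md5(ntlm_hash, (user.upper() + domain).encode("utf-16-le"))


def cc_star(cc: bytes, domain: str, now: int) -> bytes:
    """CC* = (X, time, CC, domain name); X and the field layout are assumed here."""
    return b"\x01\x01" + struct.pack("<Q", now) + cc + domain.encode("utf-16-le")


def client_response(ntlm_hash, user, domain, cs, cc=None, now=None) -> bytes:
    """Client side: NTLMv2 Response = CC | NTv2 | CC*."""
    cc = os.urandom(8) if cc is None else cc
    now = int(time.time()) if now is None else now
    blob = cc_star(cc, domain, now)
    ntv2 = hmac_md5(v2_hash(ntlm_hash, user, domain), cs, blob)
    return cc + ntv2 + blob


def server_verify(stored_hash, user, domain, cs, response) -> bool:
    """Server side: recompute NTv2 from the stored hash and the challenge it issued."""
    if len(response) < 24:
        return False
    ntv2, blob = response[8:24], response[24:]
    expected = hmac_md5(v2_hash(stored_hash, user, domain), cs, blob)
    return hmac.compare_digest(ntv2, expected)  # constant-time comparison


if __name__ == "__main__":
    cs = os.urandom(8)  # fresh server challenge for this login
    resp = client_response(NTLM_HASH, "bob", "LAB", cs)
    print("accepted for its own challenge:",
          server_verify(NTLM_HASH, "bob", "LAB", cs, resp))
    print("accepted when replayed against a new challenge:",
          server_verify(NTLM_HASH, "bob", "LAB", os.urandom(8), resp))
```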
Storing of Hashes in NT and 2k
- Since NT SP3 the SAM can be encrypted (default in W2k)
  - Microsoft Syskey utility
- If not encrypted, one can steal hashes by rebooting from CD
- If encrypted, administrator rights are needed to steal the hashes (using a tool like pwdump)

Protective Measures (Administrator)
- Use only pure Unix or Win2k or higher networks
- Deactivate LM hash generation (e.g., Win7)
- Secure the file containing the hashes
  - Windows: use syskey utility
  - Unix: use /etc/shadow
- Use Kerberos protocol whenever possible
- Restrict physical access to servers containing hashes
- Apply all latest security patches and service packs
- Apply tools that force users to choose strong passwords
- Audit the passwords regularly

Security Tokens
9.11.2010.

Security Tokens (something you have)
- Objects that a user possesses for the purpose of user authentication are called (authentication) tokens
  - The system can verify that a user owns a unique token
- Two-factor authentication
  - E.g. the combination of a password (something you know) and a token (something you have) considerably increases security
- Examples:
  - Scratch lists
  - SecurID tokens (display a new 6 digit number every minute)
  - Calculators
  - Magnetic and smart cards

Example: Secure Internet Banking
- [Figure: offline card reader; user knows, user owns]
- Hiltgen et al. "Secure Internet Banking Authentication", IEEE Security & Privacy, 2006

Biometric Authentication

Biometrics (something you are)
- Science of measuring physical characteristics of human beings
- A biometric authentication system attempts to authenticate an individual based on unique physical characteristics
- Human physical characteristics
  - Fingerprint
  - Shape of a hand
  - Iris
  - Retina
  - DNA
  - Face...
- Human behavior
  - Dynamics of signature (speed, pressure, direction)
  - Voice
  - Keyboard usage

Operation of a Biometric System

Biometric Accuracy
- Biometric system
  - Physical characteristics of the user mapped into a digital representation
  - For each user a single representation (template) stored in the computer
  - When a user is to be authenticated, the system compares the stored template to the presented template
- Given the complexities of physical characteristics, we cannot expect an exact match between the two templates
  - Therefore, the system uses algorithms to evaluate a matching score (e.g., expressed as a single number)
- It is hard to create a perfect biometric system
  - Too sensitive: too many false negatives (false nonmatch)
  - Insensitive: too many false positives (false match)

Biometric Accuracy
- Given the complexities of physical characteristics, we cannot expect an exact match between the two templates (not possible to hash)
  - Therefore, the system uses algorithms to evaluate a matching (similarity) score (e.g., expressed as a single number) between the two templates
- The problem: the similarity score will vary over different authentication sessions for the given user
- Basic question: how to set the sensitivity of the system?
  - E.g., what should the threshold similarity score be in order to grant the user access to the system?
Biometric Accuracy
- Too sensitive: too many false negatives (false nonmatch, reject)
- Insensitive: too many false positives (false match, accept)
- By decreasing one, the other increases (and vice versa)
- http://www.bromba.com/faq/biofaqe.htm

Biometric Accuracy
- For a given biometric scheme, we can plot the false match versus false non-match rate, called the operating characteristic curve
  - NOTE: Logarithmic scale is used.
  - [Figure: operating characteristic curve with the Equal Error Rate point]
- How to pick a threshold matching score depends on application
  - E.g., pick a threshold that corresponds to the point on the curve where false positive rate = false negative rate

Biometric Discussion
- Shortcomings
  - Information is never identical: not possible to hash (neither for storage nor for storage)
  - Risk of theft
    - Not possible to change a stolen finger
  - Some scanners can be fooled or replaced
- Ideal applications
  - Physical access control
  - Authentication for payments at a cash register
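
An added example, not part of the original slides: the operating characteristic curve and the equal error rate from the Biometric Accuracy slides, computed in Python over a range of thresholds. The similarity scores are constructed sample data and the function names are assumptions of this sketch.

```python
# Constructed similarity scores (0-100); higher means closer to the stored template.
GENUINE = [62, 70, 74, 78, 81, 83, 85, 88, 91, 95]    # right user, different sessions
IMPOSTOR = [20, 28, 35, 41, 47, 52, 58, 64, 69, 76]   # other people against that template


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false match rate, false non-match rate) when score >= threshold is accepted."""
    fmr = sum(s >= threshold for s in impostor) / len(impostor)
    fnmr = sum(s < threshold for s in genuine) / len(genuine)
    return fmr, fnmr


def operating_curve(thresholds=range(0, 101, 5)):
    """One (threshold, FMR, FNMR) point per candidate threshold, in rising order."""
    return [(t, *rates(t)) for t in thresholds]


def equal_error_point(curve):
    """Point where FMR and FNMR are closest: the equal error rate."""
    return min(curve, key=lambda p: abs(p[1] - p[2]))


def lowest_threshold_for(curve, max_fmr):
    """Lowest threshold whose FMR stays within max_fmr, which keeps FNMR as small as possible."""
    for point in curve:
        if point[1] <= max_fmr:
            return point
    return None


if __name__ == "__main__":
    curve = operating_curve()
    print("threshold   FMR   FNMR")
    for t, fmr, fnmr in curve:
        print(f"{t:9d}  {fmr:4.1f}  {fnmr:5.1f}")
    print("equal error point:", equal_error_point(curve))
    # An application that tolerates no false match pays for it in rejected genuine users.
    print("no false matches allowed:", lowest_threshold_for(curve, 0.0))
```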